cc-wrapper: check ld hardening capabilities in stdenv
parent
9e211203da
commit
3c06e5f6f7
|
@ -4,8 +4,12 @@ hardeningCFlags=()
|
|||
hardeningLDFlags=()
|
||||
hardeningDisable=${hardeningDisable:-""}
|
||||
|
||||
if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then
|
||||
hardeningDisable+=" bindnow relro"
|
||||
if [[ -z "@ld_supports_bindnow@" ]]; then
|
||||
hardeningDisable+=" bindnow"
|
||||
fi
|
||||
|
||||
if [[ -z "@ld_supports_relro@" ]]; then
|
||||
hardeningDisable+=" relro"
|
||||
fi
|
||||
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
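Review bot: The two new `[[ -z "@ld_supports_…@" ]]` tests treat any non-empty text as "supported", so if this script is ever installed without substitution the literal placeholder passes the test. An empty value also drops `bindnow`/`relro` with nothing in the build log unless `NIX_DEBUG` is set. Since these flags are link-time hardening, I would compare against an explicit value, e.g. `if [[ "@ld_supports_bindnow@" != 1 ]]; then`, and have the build step emit that value. A comment above the block would help too, such as `# @ld_supports_*@ are filled in when the wrapper is built; anything other than 1 means ld rejected the -z option`. The script continues outside the hunk on both sides.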
|
||||
|
|
|
@ -237,8 +237,12 @@ stdenv.mkDerivation {
|
|||
cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook
|
||||
rm $out/nix-support/setup-hook.tmp
|
||||
|
||||
# some linkers on some platforms don't support -z
|
||||
export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]])
|
||||
export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]])
|
||||
|
||||
substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
|
||||
cp -p ${./add-hardening.sh} $out/nix-support/add-hardening.sh
|
||||
substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh
|
||||
cp -p ${./utils.sh} $out/nix-support/utils.sh
|
||||
''
|
||||
+ extraBuildCommands;
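Review bot: Both `export ld_supports_…=$([[ … ]])` lines always export an empty string, because `[[ ]]` prints nothing and command substitution captures output rather than exit status. With the `[[ -z "@ld_supports_bindnow@" ]]` and `[[ -z "@ld_supports_relro@" ]]` tests shown in the other hunk, `bindnow` and `relro` would then be disabled for every linker, so the wrapper stops passing those hardening flags without any error. The quoted right-hand side of `=~` is also matched as a literal string in bash 3.2 and later, so `un(known|recognized) option` never matches real linker output; and a match would mean the option is rejected, which is the opposite of what the variable name says. I would keep the pattern in a variable, use it unquoted, and set each flag from the test result as in the excerpt below. The enclosing build-command string starts before this hunk and continues after it.

```nix
# some linkers on some platforms don't support -z
ld_unsupported_re='un(known|recognized) option'
ld_supports_bindnow=1
if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ $ld_unsupported_re ]]; then
  ld_supports_bindnow=
fi
ld_supports_relro=1
if [[ "$($ldPath/ld -z relro 2>&1 || true)" =~ $ld_unsupported_re ]]; then
  ld_supports_relro=
fi
export ld_supports_bindnow ld_supports_relro
# … unchanged: substituteAll / cp of the nix-support scripts …
```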
|
||||
|
|